Abstract: The time-memory-data (TMD) trade-off attack is a well-studied technique that has been applied to many stream and block ciphers. The current TMD attacks by Biryukov-Shamir (BS-TMD), Hong-Sarkar (HS-TMD) and Dunkelman-Keller (DK-TMD) have been applied to ciphers like Grain-v1 and AES-192/256 in modes of operation to break them with online complexity faster than exhaustive search. However, there is still a limitation, because the pre-computation of these attacks is slower than exhaustive search. In this paper, we introduce a new TMD attack that can break Estream ciphers and block cipher standards with both pre-computation and online attack complexity faster than exhaustive search. The attack works whenever the IV length is shorter than the key length. Therefore, Estream ciphers like Grain-v1, Rabbit, Salsa20, SOSEMANUK, MICKEY and block cipher standards like AES-192/256, KASUMI, IDEA, SAFER can all be broken. We also point out that our attack relies on less stringent requirements than known attacks on stream and block ciphers such as the cube attack and related-key differential/boomerang attacks. Finally, we adapt our attack to the multi-user setting and show that the attack complexities can be reduced further. Zenner had proposed that stream ciphers should be designed with IV length equal to key length to resist TMD attacks in the multi-user setting. We show that this requirement is not sufficient: ciphers like Trivium, AES-128 and HC-128, whose IV length equals the key length, can all be broken by our multi-user TMD attack.

Keywords: Stream Ciphers, Block Ciphers, Time-Memory-Data Trade-Off Attack.



I. Introduction

The time-memory trade-off (TMTO) attack was first introduced by Hellman in [19]; it is used to invert one-way functions $y = f(x)$. Some applications of TMTO attacks include finding the pre-image of a hash function or finding the secret key/secret state of a stream cipher. In this method, the attacker does a pre-computation that covers the whole search space $N$ through multiple arrays, called Hellman tables, but he only stores part of this pre-computation, namely the start and end points of the Hellman tables, in a memory of size $M$. In the online attack, he computes the pre-image $x$ of a target $y$ by making use of the Hellman tables with complexity $T = N^2/M^2$. If a memory of $M = N^{2/3}$ is used, then the online attack has complexity $T = N^{2/3}$.

This is an extended version of our AsiaCCS 2012 paper [21]. We improved [21, Proposition 1] to Theorem 2 in this paper to make the characterisation of existing TMD attacks more complete, added numerical values for the attacks in Tables 1 and 2, and optimized all the examples of [21] to use less memory in the attacks. We include new Sections VIII and IX on applying our time-memory-data trade-off attack in the multi-user setting, which has lower attack complexities than those of [21], and can break established stream cipher guidelines which were designed to resist TMD attacks in the multi-user setting.

The first author is with DSO National Laboratories, Singapore and the second author is with Temasek Laboratories, National University of Singapore, Singapore (email: kkhoongm@dso.org.sg, tsltch@nus.edu.sg).

However, one limitation of the Hellman attack is that the pre-processing complexity $P = N$ is equivalent to exhaustive search. Thus, it is only useful for ciphers which are "marginally breakable", i.e. where it is only feasible to spend a lot of resources on a one-time pre-computation, after which the cipher can be broken easily with much less effort. Biryukov and Shamir [8] overcame this limitation for stream ciphers by proposing a time-memory-data trade-off attack on $D$ keystream bits. By taking windows of $n$ bits, where $n$ is the state size, the attacker just needs to invert any one of the $D$ keystream blocks to find the secret state, from which he can deduce all subsequent keystream. The pre-computation complexity is then $P = N/D$ and the online attack complexity is $T = N^2/(M^2 D^2)$, subject to the condition $T \geq D^2$. For example, if both the internal state and the key have the same size $N = 2^n$, then $(P, D, M, T) = (2^{3n/4}, 2^{n/4}, 2^{n/2}, 2^{n/2})$ is an admissible attack. Now both the pre-computation and the online attack complexity can be less than exhaustive search.

Because of this attack, subsequent stream cipher designs usually have a state size of 1.5 to 2 times the key size, so that the Biryukov-Shamir attack is thwarted. In [20], Hong and Sarkar noticed that although the state size is now twice the key size, the IV size is sometimes very short. So they proposed a new time-memory-data trade-off attack that, instead of mapping the state to the keystream, maps a (Key, IV)-tuple to the keystream. The attack has the same trade-off curve as the Biryukov-Shamir attack except that the search space $N$ is now $KV$, where $K$ is the key space and $V$ is the IV space. They applied their attack to the initial Estream recommendation of 80-bit key size and 32-bit IV size for stream ciphers, and to the GSM cipher A5/3, which has a 64-bit key and a 22-bit IV. They showed that both were insecure and can be attacked with pre-computation and online attack complexity less than exhaustive search.

In [17], Dunkelman and Keller proposed an alternative time-memory-data trade-off attack where $D$ represents the number of IV resyncs. They essentially get the same trade-off curve as the Biryukov-Shamir attack, but with the condition $T \geq D^2$ replaced by the conditions $T \geq D$ and $V \geq D$, where $V$ is the IV space. With this attack, they manage to decrease the pre-processing complexity when attacking modern stream ciphers, but it is still at least as slow as exhaustive search on the secret key space.
A. Our Contribution

In this paper, we introduce a new time-memory-data trade-off attack in which both the pre-processing and online attack complexity of modern stream ciphers can be faster than exhaustive search. The idea is to break up the available online data complexity into two parts: $D_{IV}$, the number of IV re-syncs, and $D_{single}$, the number of keystream bits available for each IV. We essentially get the same trade-off curve as the Biryukov-Shamir attack: $P = N/D$ where $D = D_{IV} D_{single}$ and $N = KV$; and online attack complexity $T = D + T_{single}$ where $T_{single} = N^2/(M^2 D^2)$. The attack is subject to the conditions $V \geq D_{IV}$ and $T_{single} \geq D_{single}^2$. We apply this new time-memory-data trade-off attack to various Estream finalists and to block ciphers in modes of operation, and also study the relationship between the key length and the IV length in practical attacks. We describe these in detail as follows.

In Section V-A we apply our attack to the Estream finalist Grain-v1 [18] with 80-bit key and break it with $2^{76}$ pre-processing and $2^{68}$ online attack complexity. In comparison, the currently known attacks on Grain-v1 cannot break it with both pre-processing and online attack complexity faster than exhaustive search. For example, the conditional differential cryptanalysis of Knellwolf et al. [22] only breaks 104 out of 160 initialization rounds of Grain-v1. It can also be verified that the time-memory-data trade-off attacks of Biryukov-Shamir, Hong-Sarkar and Dunkelman-Keller [8], [20], [17] all have pre-computation complexity worse than exhaustive search. Bjorstad [11] tried to improve the Biryukov-Shamir time-memory-data trade-off attack on Grain-v1 by using a guess-and-determine attack to decrease the sampling resistance to $R < 1$, which results in a lower pre-computation complexity. However, the pre-computation complexity is still at least $2^{103}$, which is worse than exhaustive search.

In Section V-B we also apply our attack to the stream cipher Grain-128 [18] with 128-bit key and break it with $2^{120}$ pre-processing and $2^{104}$ online attack complexity. In comparison, the currently known attacks on Grain-128 cannot break it with both pre-processing and online attack complexity faster than exhaustive search. For example, the conditional differential cryptanalysis of [22] only breaks 213 out of 256 initialization rounds of Grain-128, while the dynamic cube attack of Dinur and Shamir [16] breaks it only for a subset of $2^{-10}$ of the possible keys, and not the full key space. Moreover, the cube attack requires chosen IVs while our attack does not. It can also be verified that the time-memory-data trade-off attacks of Biryukov-Shamir, Hong-Sarkar and Dunkelman-Keller [8], [20], [17] all have pre-computation complexity worse than exhaustive search.

Based on the framework presented in [20, Section 4 and Table 1], block ciphers in modes of operation like CBC, CFB, OFB and counter mode can be analyzed by TMD attacks. In [20], Hong and Sarkar attacked AES-192 and AES-256 with online complexities of $2^{160}$ and $2^{192}$ respectively. However, their attack did not take the pre-computation time into account. If it is taken into consideration, it is $P = 2^{240}$ and $2^{288}$ respectively for AES-192 and AES-256, which is worse than exhaustive search. In Section VI we attack AES-192 with pre-computation $2^{176}$ and online complexity $2^{144}$, and AES-256 with pre-computation $2^{224}$ and online complexity $2^{160}$. We also show that the chaining structure of block ciphers in modes of operation gives us flexibility in choosing the number of resyncs $D_{IV}$ and the amount of keystream per resync $D_{single}$ for our attack. There exist related-key attacks on AES-256 with better complexities: $2^{131}$ time complexity with $2^{35}$ related keys under chosen plaintext for the related-key differential attack [7], and $2^{99.5}$ time complexity with four related keys/subkeys under chosen ciphertext for the related-key boomerang attack [5]. But our attacks are more realistic because they only require sufficiently many IV resyncs and known/chosen plaintext, as compared to the more stringent requirements in the attacks of [5], [7].

In Section VII-A we prove that our attack has both pre-processing and online complexity faster than exhaustive search if and only if the IV length is less than the key length. As an application, we show that besides Grain-v1, the other Estream finalists Rabbit, Salsa20, SOSEMANUK and MICKEY [10] can also be attacked. When applied to block ciphers in CBC, CFB, OFB and counter modes of operation, the AES finalists Rijndael, Serpent, Twofish, RC6 and MARS [15], as well as standard ciphers like KASUMI, IDEA and SAFER SK-128 [23], [24], can all be attacked by our method.

In comparison, we prove that the Hong-Sarkar attack cannot have both pre-processing and online attack complexity faster than exhaustive search if and only if the IV length is at least half the key length, while the pre-processing complexity of the Dunkelman-Keller attack is always worse than exhaustive search. Thus, our attack has better overall complexity as compared to previous time-memory-data trade-off attacks on ciphers with IV resyncs. It has been suggested by Zenner [29] that the key length should be equal to the IV length in the multi-user setting. Our result shows that even in the single-user setting, we also require the key and IV lengths to be equal.

In Section VII-B we also propose a more practical application scenario where the IV is allowed to be shorter than the key as long as no attack has both its pre-processing and online complexity below an impractically high threshold. If $2^s$ is considered an impractical attack complexity to launch, then the IV only needs to be at least $(2s - k)$ bits long when the key is $k$ bits long. For example, if the secret key is 256 bits and we consider $2^{160}$ to be impractical, then the IV can be 64 bits long.

In Section VIII we consider our attack in the multi-user setting. In this case, the adversary succeeds if he can find the secret key of one out of $D_{user}$ users. This idea was first explored by Biryukov et al. [6] in the context of breaking UNIX password hashes, and later refined by Choy et al. for multiple encryption. We show that it can be used to improve our attack complexity further. E.g. when attacking Grain-128 on 2^*^ users, we can improve both the pre-processing and online attack complexities by a factor of 2^° to P = 2^^*^ and T = 2^"*, as compared to our earlier attack. When attacking AES-256 on 2^" users, we can also reduce both of our earlier attack complexities by 2^^^ to P = 2^^* and T = 2^^". Moreover, in both attacks less memory is required.

In Section IX we apply the multi-user attack to stream ciphers where the key length is equal to the IV length. It has been suggested as a guideline (e.g. see Zenner [29]) that key length equal to IV length protects against multi-user TMD attacks. We show that this may not be adequate by breaking Trivium (80-bit key and IV) with pre-processing 2*^^ and online attack 2''* when attacking 2^" users. We also break HC-128 and AES-128 (128-bit key and IV) with pre-processing 2^^° and online attack 2^^^ when attacking 2^*^ users. We also provide a generic proof that, in the multi-user setting, the pre-processing and online attack complexity can always be faster than exhaustive search when we apply our attack to stream ciphers with key length equal to IV length.

II. Notations

In this section, we list the definitions of the common notations used in this paper.

TMD Attack: Time-Memory-Data trade-off attack.
IV: Initial Vector.
$N$: Search space in a TMD attack.
$K$: Key space of a cipher.
$V$: IV space of a cipher.
$K_{secure}$: A complexity infeasible for the adversary to attack.
$M_{single}$: Memory used per IV in a TMD attack.
$M$: Total memory used in a TMD attack.
$D_{IV}$: Number of IV resynchronizations in a TMD attack.
$D_{single}$: Number of online keystream bits per IV in a TMD attack.
$D_{user}$: Number of users in a multi-user TMD attack.
$D$: Total online data available in a TMD attack.

III. Existing Time-Memory-Data Trade-Off (TMD) Attacks on Stream Ciphers

A. Biryukov-Shamir (BS-TMD) Attack [8]

Let $N = 2^n$ be the stream cipher state space, $M$ the memory used to store the pre-computed data, $D$ the total number of data points (keystream blocks) available in an online attack, $P$ the pre-computation complexity and $T$ the online attack complexity. In the pre-computation phase, choose $m, t$ such that $mt^2 = N$. Form $t/D$ Hellman tables of size $m \times t$ as follows. Randomly choose $m$ starting points corresponding to $n$-bit states of the stream cipher. For each start point, form a chain of length $t$ by iteratively applying the stream cipher $f(\cdot)$ and using the $n$-bit keystream as the state for the next point. Then $mt \times t/D = N/D$ of the state space is covered by all the tables. After forming each table, only the start and end points are stored in memory; the rest of the data are discarded. In total, $M = m \times t/D$ memory is used.

During an online attack, the attacker collects $D$ target keystream blocks. For each target keystream $y$, he checks, for $i = 0, 1, \ldots, t-1$, whether $f^i(y)$ equals an end point of one of the Hellman tables. If there is a match, then $f^{t-1-i}(\text{start point})$, computed from the corresponding start point, is the state which gives this keystream.

$$P = \frac{N}{D}, \qquad T = t^2 = \frac{N^2}{M^2 D^2}, \qquad \text{where } N = mt^2,\ M = \frac{mt}{D}.$$

Note that the attack is valid only when there is at least one table, i.e. $t/D \geq 1$ or $T \geq D^2$.

Remark 1: When $D = 1$, the above attack reduces to Hellman's TMTO attack, which has complexities $P = N$ and $T = N^2/M^2$.



B. Hong-Sarkar (HS-TMD) Attack [20]

Let $K$ be the key space and $V$ the IV space of a stream cipher. The Hong-Sarkar TMD attack is essentially the BS-TMD attack, except that the search space is {Key Space} x {IV Space} with size $N = K \times V$. We treat both the secret key and the IV as unknown in the pre-computation phase. The rest of the attack is similar to the BS-TMD attack, except that each point in the Hellman tables corresponds to a particular (Key, IV)-tuple. These points are used to initialize the stream cipher $f(\cdot)$, where a $(k + v)$-bit keystream block is used as the next (Key, IV)-tuple. Finally, $N/D$ of the (Key, IV) search space is covered by all the tables.

The trade-off curve for this attack is the same as the BS-TMD attack using $N = K \times V$. The only difference is that the target is now the key and IV space. Hong and Sarkar used this idea to attack the GSM A5/3 cipher [20, Section 3.3], where the 128-bit state size is twice the 64-bit secret key, so that the BS-TMD attack on the state will not have good complexity. The small IV size of 22 bits allows the HS-TMD attack to have online and pre-processing complexity smaller than $2^{64}$.



C. Dunkelman-Keller (DK-TMD) Attack [17]

Dunkelman and Keller proposed an alternative TMD attack, which exploits the fact that the IV is known during an online attack. They consider a scenario where only one keystream block corresponding to each of $D$ IVs needs to be known to the adversary. First, the adversary performs the TMTO pre-computation individually for each fixed IV. The memory and pre-computation complexity for a single IV are $M_{single}$ and $K$; the total memory and pre-computation for all $V/D$ IVs are $M = V/D \times M_{single}$ and $P = V/D \times K$ respectively. In an online attack, the attacker waits for an IV to occur which matches one of his pre-computed IVs. Since the probability of a matching IV is $(V/D)/V = 1/D$, this is expected to occur after $D$ IV resyncs. Then he proceeds to do a TMTO attack for that IV, with complexity $K^2/M_{single}^2$, to find the secret key.

$$P = K \times \frac{V}{D} = \frac{N}{D},$$

$$T = D + \frac{K^2}{M_{single}^2} = D + \frac{K^2 V^2}{M^2 D^2} = D + \frac{N^2}{M^2 D^2}, \qquad \text{because } M_{single} = M \times \frac{D}{V}.$$

So we essentially get the same trade-off curve as the BS-TMD and HS-TMD attacks, but with the condition $T \geq D^2$ replaced by the conditions $V \geq D$ and $T \geq D$.

D. Limitation of the Biryukov-Shamir, Hong-Sarkar and Dunkelman-Keller TMD Attacks

In attacking symmetric ciphers, the usual definition of a successful attack is one where the complexity is faster than exhaustive search. Sometimes, when the key length is short, the current literature on time-memory-data trade-off attacks allows the pre-computation to be worse than exhaustive search, while the subsequent online attack is more efficient than exhaustive search. For example, Bjorstad applied the BS-TMD attack to the Estream finalist Grain-v1 (80-bit key, 64-bit IV, 160-bit state) [11], where the online attack complexity is below $2^{80}$ but the corresponding pre-computation complexity is at least $2^{103}$.

However, when we apply the known TMD attacks to a stream cipher of larger key size, e.g. a key size of 128, 192 or 256 bits, the pre-processing complexity becomes infeasible. As an example, let us consider the Grain-128 stream cipher with 128-bit key, 96-bit IV and 256-bit state.

For the BS-TMD attack, $T < 2^{128}$ implies $D \leq \sqrt{T} < 2^{64}$. Then the pre-processing complexity will be $P = N/D > 2^{256 - 64} = 2^{192}$, which is infeasible.

For the HS-TMD attack, $T < 2^{128}$ implies $D \leq \sqrt{T} < 2^{64}$. Then the pre-processing complexity will be $P = N/D = KV/D > 2^{128 + 96 - 64} = 2^{160}$, which is infeasible.

For the DK-TMD attack, the pre-processing complexity is $P = N/D = KV/D$. But $D$, being the number of IVs, is at most $V$; therefore $P \geq K = 2^{128}$, which is a high complexity. In this case, the attacker only does one IV pre-computation, thus he needs the sender to cycle through all $2^{96}$ IV resyncs before he hits the right IV.

IV. A New Improved Time-Memory-Data Trade-Off Attack on Stream Ciphers

In this section, we propose an improved TMD attack on stream ciphers with IV resync, which performs better than the BS-TMD, HS-TMD and DK-TMD attacks. More specifically, our attack can achieve both pre-processing and online complexity faster than exhaustive search in scenarios where the previous attacks cannot.

We describe our attack as follows. Let $N = K \times V$. We assume a known plaintext attack where each ciphertext bit corresponds to a keystream bit.

1) The attacker fixes two parameters:

a) $D_{IV}$: the number of IV re-syncs in an online attack.

b) $D_{single}$: the amount of ciphertext bits (equivalently, keystream bits) transmitted for each IV.

The total amount of online data is $D = D_{IV} \times D_{single}$.

2) He chooses $V/D_{IV}$ IVs randomly. For each fixed IV, he goes through the pre-processing phase of a BS-TMD attack with pre-processing complexity $K/D_{single}$ and memory $M_{single}$. The total pre-processing time is $V/D_{IV} \times K/D_{single} = N/D$. The total memory used is $M = V/D_{IV} \times M_{single}$.

3) In an online attack, the attacker waits for an IV to occur which matches one of his pre-computed IVs. Since the probability of a matching IV is $(V/D_{IV})/V = 1/D_{IV}$, this is expected to occur after $D_{IV}$ IV resyncs. Because $D_{single}$ bits are transmitted per IV, the total waiting time for a matching IV is $D = D_{IV} D_{single}$.

4) After the attacker observes a matching IV, he proceeds to do a TMD attack with complexity

$$T_{single} = \frac{K^2}{M_{single}^2 \times D_{single}^2}$$

to find the secret key. The online complexity, which adds $D$ (time to wait for a pre-processed IV) and $T_{single}$ (attack complexity on a single IV), is

$$T = D + T_{single} = D + \frac{K^2}{M_{single}^2 D_{single}^2} = D + \frac{K^2 V^2}{M^2 D_{IV}^2 D_{single}^2} = D + \frac{N^2}{M^2 D^2},$$

because $M_{single} = M \times D_{IV}/V$, $N = KV$ and $D = D_{IV} D_{single}$.

We essentially get the same complexity as the BS-TMD, HS-TMD and DK-TMD attacks. However, we have a different set of conditions on the data $D = D_{IV} \times D_{single}$, namely $D_{IV} \leq V$ and $D_{single}^2 \leq T_{single}$. In the next two sections, we shall see how this method enables us to break Grain and AES modes of operation with pre-processing and online attack complexity faster than exhaustive search, while the previous three methods cannot.
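The four steps above, and the Hellman-table mechanics of Section III-A that step 2 relies on, are easier to see on something that runs. The following is an added example (not the authors' code): a toy cipher with a 14-bit state equal in size to the key and an 8-bit IV, so that the per-IV Hellman tables of step 2 run over the key space, the pre-computation of Section III-A for $V/D_{IV}$ randomly chosen IVs, and the online phase that waits for one of those IVs and then inverts any of the $D_{single}$ observed blocks. The mixing functions, constants and parameter values ($m = 16$, $t = 32$, $D_{IV} = 16$, $D_{single} = 4$, so $mt^2 = K$ and $D = 2^6$) are assumptions of the example, not a real cipher.

```python
"""Toy model of the Section IV attack: per-IV BS-TMD tables plus waiting for a
pre-computed IV. Constructed for illustration only: the 14-bit state/key, 8-bit IV and
mixing functions are assumptions of the example, not a real cipher, not the authors' code."""
import random

STATE_BITS, IV_BITS = 14, 8            # k = 14, v = 8: IV shorter than key (Theorem 1)
K, V = 1 << STATE_BITS, 1 << IV_BITS   # key/state space and IV space
MASK = K - 1

def mix(x):
    """Toy permutation of STATE_BITS bits (odd multiply + xorshift)."""
    x = (x * 0x1A4D) & MASK
    x ^= x >> 5
    x = (x * 0x0B3B) & MASK
    return x ^ (x >> 9)

def ivmask(iv): return (iv * 0x35 + 0x11) & MASK

def output(state, iv):
    """Keystream block f_iv(state): the map the per-IV Hellman tables invert."""
    return mix(state ^ ivmask(iv))

def update(state, iv):
    """State transition (bijective affine map standing in for register clocking)."""
    return (state * 5 + 0x3A7 + ivmask(iv)) & MASK

def keystream(key, iv, n):
    """First n keystream blocks for (key, iv); the loaded state has key size."""
    s, out = update(mix(key ^ ivmask(iv)), iv), []
    for _ in range(n):
        out.append(output(s, iv))
        s = update(s, iv)
    return out

def predict_after(state, iv, n):
    """What a recovered state buys the attacker: the next n keystream blocks."""
    out = []
    for _ in range(n):
        state = update(state, iv)
        out.append(output(state, iv))
    return out

def build_tables(iv, m, t, num_tables, rng):
    """Section III-A pre-computation for one fixed IV: num_tables tables of m chains x t
    steps; only (end point -> start points) is stored, i.e. M_single = m * num_tables."""
    tables = []
    for _ in range(num_tables):
        tmask = rng.randrange(K)              # per-table xor reduction keeps tables distinct
        ends = {}
        for _ in range(m):
            start = x = rng.randrange(K)
            for _ in range(t):
                x = output(x, iv) ^ tmask
            ends.setdefault(x, []).append(start)
        tables.append((tmask, ends))
    return tables

def invert_block(y, iv, tables, t):
    """Return a state s with output(s, iv) == y, or None if y is not covered."""
    for tmask, ends in tables:
        cur = y ^ tmask                       # one chain step past the unknown state
        for i in range(t):
            for start in ends.get(cur, ()):
                cand = start
                for _ in range(t - 1 - i):    # walk the chain to the point just before y
                    cand = output(cand, iv) ^ tmask
                if output(cand, iv) == y:     # reject false alarms caused by merges
                    return cand
            cur = output(cur, iv) ^ tmask
    return None

def precompute(d_iv, d_single, m, t, seed=7):
    """Step 2: pick V/D_IV IVs; per IV, t/D_single tables cover about K/D_single states,
    so the total work is (V/D_IV)(K/D_single) = N/D."""
    assert m * t * t == K and t % d_single == 0 and V % d_iv == 0
    rng = random.Random(seed)
    chosen = rng.sample(range(V), V // d_iv)
    return {iv: build_tables(iv, m, t, t // d_single, rng) for iv in chosen}

def online_attack(key, tables_by_iv, d_single, t, rng):
    """Steps 3-4: resync with random IVs until a pre-computed one appears (expected after
    D_IV resyncs), then invert any of the D_single blocks seen under that IV.
    Returns (resyncs, iv, block index, recovered state) or None."""
    resyncs = 0
    while True:
        resyncs += 1
        iv = rng.randrange(V)
        if iv in tables_by_iv:
            break
    for j, y in enumerate(keystream(key, iv, d_single)):
        s = invert_block(y, iv, tables_by_iv[iv], t)
        if s is not None:
            return resyncs, iv, j, s
    return None

def success_rate(tables_by_iv, d_single, t, n_keys=60, seed=3):
    """Fraction of random keys broken, roughly 1 - (1 - coverage)^D_single."""
    rng = random.Random(seed)
    return sum(online_attack(rng.randrange(K), tables_by_iv, d_single, t, rng) is not None
               for _ in range(n_keys)) / n_keys
```

A run with `precompute(16, 4, 16, 32)` does $16 \times 8 \times 16 \times 32 = 2^{16} = N/D$ chain steps, stores $16 \times 8 \times 16 = 2^{11}$ (end, start) pairs, and then `success_rate(tabs, 4, 32)` recovers the state for roughly two thirds of random keys: the tables for one IV cover about a quarter of the state space, and any one of the four blocks observed under a matching IV suffices. Because `output` is a bijection for a fixed IV, a recovered state is the true one and `predict_after` reproduces the rest of the keystream.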



V. Attack on Grain-v1 and Grain-128 with Pre-Processing and Online Complexity Faster than Exhaustive Search

Grain-v1 is an Estream finalist with 80-bit key, 64-bit IV and 160-bit state [18]. There is a variant of Grain called Grain-128, which has a 128-bit key, 96-bit IV and 256-bit state [18].
A. Attack on Grain-v1

Consider the HS-TMD attack on Grain-v1 with 80-bit key and 64-bit IV. To get online attack complexity $T < 2^{80}$, we need $D \leq \sqrt{T} < 2^{40}$. However, that means the pre-processing complexity is $P = KV/D > 2^{80 + 64 - 40} = 2^{104}$, which is worse than exhaustive search.

When we apply the BS-TMD attack to the 160-bit state space of Grain-v1, we again need $D < 2^{40}$ to have $T < 2^{80}$, and thus $P = N/D > 2^{160 - 40} = 2^{120}$. Bjorstad [11] used a guess-and-determine attack on the state space to decrease the sampling resistance to $R < 1$, so that the condition $D^2 \leq T$ is relaxed to $(RD)^2 \leq T$. This allows for a lower pre-processing complexity of $2^{103}$. However, it is still worse than exhaustive search.

Finally, as noted in Section III-D, the DK-TMD attack has pre-processing $P \geq 2^{80}$.

We will apply the attack of Section IV to Grain-v1 to get both pre-processing and online attack complexity less than $2^{80}$. We have $K = 2^{80}$, $V = 2^{64}$ and $N = K \times V = 2^{144}$. Choose $D_{single} = 2^{20}$ and $D_{IV} = 2^{48}$, thus $D_{IV} < V$. Then the total online data needed for the attack is

$$D = D_{IV} \times D_{single} = 2^{68}.$$

The pre-processing complexity is

$$P = \frac{N}{D} = 2^{144 - 68} = 2^{76}.$$

Choose a memory size of $M = 2^{44}$; then the online attack complexity for a single IV is

$$T_{single} = \frac{N^2}{M^2 D^2} = 2^{2(144 - 44 - 68)} = 2^{64} \geq 2^{40} = D_{single}^2.$$

The online complexity satisfies

$$T = D + T_{single} = 2^{68} + 2^{64} \approx 2^{68}.$$



B. Attack on Grain-128

As explained in Section III-D, the BS-TMD, HS-TMD and DK-TMD attacks on Grain-128 all have pre-processing complexity $\geq 2^{128}$, which is infeasible.

We will apply the attack of Section IV to Grain-128 to get both pre-processing and online attack complexity $< 2^{128}$. We have $K = 2^{128}$, $V = 2^{96}$ and $N = K \times V = 2^{224}$. Choose $D_{single} = 2^{32}$ and $D_{IV} = 2^{72}$, thus $D_{IV} < V$. Then the total online data needed for the attack is

$$D = D_{IV} \times D_{single} = 2^{104}.$$

The pre-processing complexity is

$$P = \frac{N}{D} = 2^{224 - 104} = 2^{120}.$$

Choose a memory size of $M = 2^{70}$; then the online attack complexity for a single IV is

$$T_{single} = \frac{N^2}{M^2 D^2} = 2^{2(224 - 70 - 104)} = 2^{100} \geq 2^{64} = D_{single}^2.$$

The online complexity satisfies

$$T = D + T_{single} = 2^{104} + 2^{100} \approx 2^{104}.$$
VI. Attack on AES in Modes of Operation with Pre-Processing and Online Complexity Faster than Exhaustive Search

Attacking block ciphers in the OFB and counter modes of operation is a straightforward adaptation of TMD attacks to the keystream, which can be deduced from known plaintexts. In [20], Hong and Sarkar showed that block ciphers in the CBC and CFB modes of operation can also be attacked, but in a chosen plaintext setting. The plaintext is chosen to be repetitions of a fixed message block $m$, so that each (Key, IV) generates "keystream" blocks $(c_1, c_2, c_3, \ldots)$.

Remark 2: Moreover, in all four modes of operation, if the adversary can obtain $D + w$ keystream blocks for a window of size $w$, he just needs any one of the keystream blocks $c_i$ for $i = 1, \ldots, w$ to match one of his pre-computed IVs in our attack. This is because $c_i$ can be regarded as the IV that generates the keystream $(c_{i+1}, c_{i+2}, \ldots)$ under the key $K$.
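Remark 2 rests on the chaining identities $c_{i+1} = E_K(c_i \oplus m)$ (CBC) and $c_{i+1} = E_K(c_i) \oplus m$ (CFB). The following constructed example, which is not from the paper, checks the "block seen mid-stream acts as the IV for the rest" property for the four modes with a toy 16-bit Feistel cipher (an assumption of the example, not a real block cipher), and implements the first-hit-in-a-window test the remark describes. For OFB the restart point is the keystream block $c_i \oplus m$, and for counter mode it is the counter value of the next block; both are known to a known-plaintext attacker and are this editor's reading of "$c_i$ can be regarded as the IV" for those two modes.

```python
"""Toy check of Remark 2: with a repeated plaintext block m, the ciphertext of a block
cipher in CBC/CFB/OFB/counter mode is a 'keystream' in which a block seen mid-stream
acts as the IV for everything after it. The 16-bit Feistel cipher is an assumption of
this example (not a real cipher), and the code is not the paper's."""

BLOCK_MASK = 0xFFFF

def _round(x, rk):
    x = (x + rk) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF            # rotate left by 3
    return x ^ ((x * 0x1D) & 0xFF) ^ 0x5A

def encrypt(key, block):
    """Toy 4-round Feistel permutation on 16-bit blocks under a 16-bit key."""
    l, r = block >> 8, block & 0xFF
    for i in range(4):
        rk = ((key >> (4 * i)) ^ (key * (i + 1))) & 0xFF
        l, r = r, l ^ _round(r, rk)
    return (l << 8) | r

def cbc_blocks(key, iv, m, n):
    """c_1 = E(iv ^ m), c_{i+1} = E(c_i ^ m)."""
    out, prev = [], iv
    for _ in range(n):
        prev = encrypt(key, prev ^ m)
        out.append(prev)
    return out

def cfb_blocks(key, iv, m, n):
    """c_1 = E(iv) ^ m, c_{i+1} = E(c_i) ^ m."""
    out, prev = [], iv
    for _ in range(n):
        prev = encrypt(key, prev) ^ m
        out.append(prev)
    return out

def ofb_blocks(key, iv, m, n):
    """o_1 = E(iv), o_{i+1} = E(o_i), c_i = o_i ^ m."""
    out, o = [], iv
    for _ in range(n):
        o = encrypt(key, o)
        out.append(o ^ m)
    return out

def ctr_blocks(key, ctr, m, n):
    """c_i = E(ctr + i) ^ m for i = 0..n-1."""
    return [encrypt(key, (ctr + i) & BLOCK_MASK) ^ m for i in range(n)]

MODES = {"cbc": cbc_blocks, "cfb": cfb_blocks, "ofb": ofb_blocks, "ctr": ctr_blocks}

def restart_points(mode, blocks, m, ctr=None):
    """For each c_i, the 'IV' that regenerates (c_{i+1}, c_{i+2}, ...) under the same key:
    c_i itself for CBC/CFB, the recovered keystream block c_i ^ m for OFB, and the next
    counter value for counter mode. All are known to a known-plaintext attacker."""
    if mode in ("cbc", "cfb"):
        return list(blocks)
    if mode == "ofb":
        return [c ^ m for c in blocks]
    if mode == "ctr":
        return [(ctr + i + 1) & BLOCK_MASK for i in range(len(blocks))]
    raise ValueError(mode)

def chaining_holds(mode, key, iv, m, n=12, i=4):
    """Restarting the mode from the restart point of c_i must reproduce c_{i+1}, ..., c_n."""
    blocks = MODES[mode](key, iv, m, n)
    pts = restart_points(mode, blocks, m, ctr=iv)
    return MODES[mode](key, pts[i], m, n - i - 1) == blocks[i + 1:]

def first_hit(points, precomputed, w):
    """Remark 2: given D + w blocks, the attack proceeds from the first of the w leading
    restart points that lies in the attacker's pre-computed IV set (None if no hit)."""
    for i, p in enumerate(points[:w]):
        if p in precomputed:
            return i
    return None
```

`chaining_holds(mode, key, iv, m)` is an identity check rather than a probabilistic one, so it holds for every key, IV and message block; `first_hit` is the only place where the size of the pre-computed IV set matters.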



A. Attack on AES-192

The key space is $K = 2^{192}$ and the IV space is $V = 2^{128}$, which implies $N = KV = 2^{320}$.

In [20], the authors applied the HS-TMD attack with $M = 2^{160}$ and $D = 2^{80}$ to get $T = 2^{2(320 - 160 - 80)} = 2^{160} \geq D^2$. However, the pre-processing complexity is $P = N/D = 2^{320 - 80} = 2^{240}$, which is worse than exhaustive search.

Our Attack: Choose $D_{single} = 2^{48}$ and $D_{IV} = 2^{96} < 2^{128}$; then the total online data is

$$D = D_{IV} \times D_{single} = 2^{144},$$

and the pre-processing complexity is

$$P = \frac{N}{D} = 2^{320 - 144} = 2^{176}.$$

Let the total memory used be $M = 2^{106}$. Then the attack complexity for a single IV satisfies

$$T_{single} = 2^{2(320 - 106 - 144)} = 2^{140} \geq 2^{96} = D_{single}^2,$$

and the total online attack time is

$$T = D + T_{single} = 2^{144} + 2^{140} \approx 2^{144}.$$

Because of Remark 2, the attacker may not need to wait for $D_{IV} = 2^{96}$ resyncs with $2^{48}$ data per resync. He could instead wait for, e.g., $2^{76}$ resyncs and collect $2^{68}$ data per resync. If any of the ciphertext blocks in the initial $2^{20}$ data matches a pre-computed IV, he will take a window of $2^{48}$ data to do the TMD attack for that IV. Thus the chaining structure of the mode of operation gives us flexibility when choosing $D_{single}$ and $D_{IV}$.
B. Attack on AES-256

The key space is $K = 2^{256}$ and the IV space is $V = 2^{128}$, which implies $N = KV = 2^{384}$.

In [20], the authors applied the HS-TMD attack with $M = 2^{192}$ and $D = 2^{96}$ to get $T = 2^{2(384 - 192 - 96)} = 2^{192} \geq D^2$. However, the pre-processing complexity is $P = N/D = 2^{384 - 96} = 2^{288}$, which is worse than exhaustive search.

Our Attack: Choose $D_{single} = 2^{64}$ and $D_{IV} = 2^{96} < 2^{128}$; then the total online data is

$$D = D_{IV} \times D_{single} = 2^{160},$$

and the pre-processing complexity is

$$P = \frac{N}{D} = 2^{384 - 160} = 2^{224}.$$

Let the total memory used be $M = 2^{146}$. Then the attack complexity for a single IV satisfies

$$T_{single} = 2^{2(384 - 146 - 160)} = 2^{156} \geq 2^{128} = D_{single}^2,$$

and the total online attack time is

$$T = D + T_{single} = 2^{160} + 2^{156} \approx 2^{160}.$$

Similar to the previous attack, the adversary has flexibility in choosing $D_{single}$ and $D_{IV}$ because of the chaining structure of modes of operation, as explained in Remark 2.

For AES-256, there exist related-key attacks with better complexities. The related-key differential attack can break AES-256 with $2^{131}$ time complexity based on $2^{35}$ related keys under a chosen plaintext attack [7].

There is also a related-key boomerang attack with $2^{99.5}$ time complexity using a quartet of four related keys under chosen-ciphertext decryption [5]. However, two of the key relations in the related-key quartet are subkey relations, which are even harder to achieve in practice because the adversary will need to control the key schedule, and not just the keys.

In comparison, our attacks are more realistic because they only require sufficiently many IV resyncs and known/chosen plaintext, as compared to the existence of related-key/related-subkey pairs and chosen-plaintext/chosen-ciphertext attacks.

VII. Some Practical Considerations

A. Choice of Key-IV Length for Protection Against Our TMD Attack

In this section, we study the condition for the attack of Section IV to have pre-processing and online attack complexity faster than exhaustive search. From it, we deduce what the IV length should be to defend against this attack.

Theorem 1: Consider a stream cipher with key space $K = 2^k$ and IV space $V = 2^v$.

1) If $v \geq k$ and we require the online attack complexity to satisfy $T < K$ for the attack in Section IV, then the pre-processing complexity satisfies $P > K$.

2) If $v < k$, then the pre-processing and online complexity of the attack in Section IV can both be faster than exhaustive search, i.e. $P, T < K$.

Proof:

1) For the online complexity $T = D + T_{single}$ to be less than $K$, we need $D < K$. Then the pre-processing complexity satisfies

$$P = \frac{N}{D} = \frac{KV}{D} \geq \frac{K^2}{D} > K,$$

using $V \geq K$ by assumption and $D < K$.

2) Choose $M_{single} = 2^{k/2}$ and $D_{single} = 2^{k/4}$. Then the online attack complexity for a single IV is

$$T_{single} = \frac{K^2}{M_{single}^2 D_{single}^2} = 2^{2(k - k/2 - k/4)} = 2^{k/2} \geq D_{single}^2.$$

Choose $D_{IV}$ such that

$$2^{v - k/4} < D_{IV} \leq \min(2^v, 2^{3k/4}).$$

Such a $D_{IV}$ can be chosen because $v < k$ implies $v - k/4 < \min(v, 3k/4)$. Also, if $v < k/4$ the lower bound is below 1, so we can take any value of $D_{IV} \geq 1$. Multiplying the above inequality by $D_{single} = 2^{k/4}$, we get

$$2^v < D = D_{single} \times D_{IV} \leq \min(2^{v + k/4}, 2^k) \leq 2^k.$$

The pre-processing complexity satisfies

$$P = \frac{N}{D} = \frac{KV}{D} < 2^{k + v - v} = K.$$

The online complexity satisfies

$$T = D + T_{single} \leq 2^k + 2^{k/2} \approx 2^k = K.$$

Remark 3: In this proof, we have used $M_{single} = 2^{k/2}$, which is chosen to get the lowest value for $T_{single}$. However, we could have chosen $M_{single}$ (and thus $M$) to be lower to get a higher value for $T_{single}$. This is because the online attack complexity $T$ is a sum of $D$ and $T_{single}$, and $D$ is usually much higher than the optimal (lowest) value for $T_{single}$. For example, in the attack on AES-256 in Section VI-B,

$$M_{single} = M \times D_{IV}/V = 2^{146 + 96 - 128} = 2^{114} < 2^{128} = 2^{256/2}.$$

Thus we can optimize the proof of Theorem 1 to use less memory when estimating the attack complexities in practice. From Theorem 1 we have the following corollary:

Corollary 1: In a stream cipher, the pre-processing and online complexity of the attack of Section IV are both faster than exhaustive search if and only if the IV length is less than the key length.

Therefore, to protect against the attack of Section IV, we may design stream ciphers with IV length equal to key length.

For the sake of comparison, we prove the following theorem. From it, we see that our attack, which allows for faster pre-processing, is more effective than the HS-TMD and DK-TMD attacks. It also imposes a more stringent constraint on the length of the IV for adequate security.
Theorem 2: 1) In the BS-TMD attack [8] on a stream
cipher, the pre-processing and online attack complexity
are both faster than exhaustive search if and only if the
state size is less than 3/2 times the key length.

2) In the HS-TMD attack [20] on a stream cipher, the pre-processing
and online attack complexity are both faster
than exhaustive search if and only if the IV length is
less than half the key length.

3) In the DK-TMD attack [11] on a stream cipher, the pre-processing
complexity cannot be faster than exhaustive
search irrespective of the IV length.

Proof:

1) (⇒) Suppose $N \ge K^{3/2}$. If the online attack complexity
$T$ is less than exhaustive search, i.e. $T < K$, then $D^2 \le T$
implies $D$ satisfies $D < K^{1/2}$, so the pre-processing complexity
satisfies:

$$P = \frac{N}{D} > \frac{K^{3/2}}{K^{1/2}} = K.$$

Thus we cannot have both online and pre-processing
complexity faster than exhaustive search.
(⇐) Suppose $N < K^{3/2}$. Choose $D = N^{1/3}$ and $M = N^{1/3}$. Then

$$T = \frac{N^2}{M^2 D^2} = N^{2/3} < (K^{3/2})^{2/3} = K,$$

and the pre-processing complexity satisfies

$$P = \frac{N}{D} = N^{2/3} < K.$$

Furthermore, the condition $D^2 \le T$ also holds.

2) The HS-TMD attack is just the BS-TMD attack with
$N = KV$. Thus the pre-processing and online attack
complexity cannot both be faster than exhaustive search
if and only if $N = KV \ge K^{3/2}$, which is equivalent to
the condition $V \ge K^{1/2}$.

3) Since $D_{IV}$ is the number of IV's, we have $D_{IV} \le V$,
which implies the pre-processing of the DK-TMD attack
satisfies $P = KV/D_{IV} \ge K$.

1) Applications to Estream Finalists: Besides the ciphers
Grain-v1 and Grain-128 [18] which we attacked in Sections
V-A and V-B, the other Estream finalists Rabbit, Salsa20,
SOSEMANUK and MICKEY are also
susceptible to our attack by Theorem 1, because the IV size is
smaller than the key size as shown in Table I. The attack does
not apply to HC-128 and Trivium [28], [12] because the key
size is equal to the IV size. In comparison, the BS-TMD, HS-TMD
and DK-TMD attacks [8], [20], [11] on these stream
ciphers are not faster than exhaustive search by Theorem 2.

The attack complexities of Table I are obtained based on
the computation in the proof of Theorem 1 in Section VII-A.

For $K = 2^{128}$ and $V = 2^{64}$, we use $D_{single} = 2^{32}$,
$D_{IV} = 2^{60}$, $M = 2^{56}$ to get $P = 2^{100}$, $T = 2^{92}$.

For $K = 2^{80}$ and $V = 2^{64}$, we use $D_{single} = 2^{20}$,
$D_{IV} = 2^{48}$, $M = 2^{44}$ to get $P = 2^{76}$, $T = 2^{68}$.

2) Applications to Block Ciphers: Many of today's block
ciphers have block size 128-bit (also IV size) and key sizes 128,
192 or 256-bit as specified by the NIST Advanced Encryption
Standard competition. This includes the five finalists Rijndael,
Serpent, Twofish, RC6 and MARS [13], [27], [26], [9].
When they are used in modes of operation like CBC, CFB,
OFB and counter mode, the versions with 192-bit and 256-bit
keys are susceptible to our attack as shown in the computations
of Section VI and by Theorem 1. Also, well-known ciphers
like IDEA, SAFER SK-128 and KASUMI [24], [25]
have 64-bit block (IV) and 128-bit key, so again by Theorem 1,
they can be broken by our attack. The attack does not apply
to SMS4 and AES-128 because the 128-bit key size is equal
to the IV size. In comparison, the HS-TMD and DK-TMD
attacks [8], [20], [11] on these block ciphers are not faster
than exhaustive search by Theorem 2. For reference, we list
the key and IV sizes of the block ciphers we considered in
Table II.

The attack complexities of Table II are obtained based on
the computation in the proof of Theorem 1 in Section VII-A.

For $K = 2^{192}$ and $V = 2^{128}$, we use $D_{single} = 2^{48}$,
$D_{IV} = 2^{96}$, $M = 2^{106}$ to get $P = 2^{176}$, $T = 2^{144}$.

For $K = 2^{256}$ and $V = 2^{128}$, we use $D_{single} = 2^{64}$,
$D_{IV} = 2^{96}$, $M = 2^{146}$ to get $P = 2^{224}$ and $T = 2^{160}$.

For $K = 2^{128}$ and $V = 2^{64}$, we use $D_{single} = 2^{32}$,
$D_{IV} = 2^{60}$, $M = 2^{56}$ to get $P = 2^{100}$ and $T = 2^{92}$.

TABLE I
TMD Attack of Section IV on Estream Finalists

Cipher      Key  IV   State Size  Pre-processing  Online Attack
HC-128      128  128  32778       -               -
Rabbit      128  64   513         2^100           2^92
Salsa20     128  64   512         2^100           2^92
SOSEMANUK   128  64   384         2^100           2^92
Grain-v1    80   64   160         2^76            2^68
MICKEY-V2   80   64   200         2^76            2^68
TRIVIUM     80   80   288         -               -

Note: By looking at the state size and IV size (see Theorem 2), the
BS-TMD, HS-TMD and DK-TMD attacks cannot break the above
Estream Ciphers.

TABLE II
TMD Attack of Section IV on Block Ciphers

Cipher    Key  IV   Pre-processing  Online Attack
Rijndael  192  128  2^176           2^144
          256  128  2^224           2^160
Serpent   192  128  2^176           2^144
          256  128  2^224           2^160
Twofish   192  128  2^176           2^144
          256  128  2^224           2^160
RC6       192  128  2^176           2^144
          256  128  2^224           2^160
MARS      192  128  2^176           2^144
          256  128  2^224           2^160
IDEA      128  64   2^100           2^92
SAFER     128  64   2^100           2^92
KASUMI    128  64   2^100           2^92
SMS4      128  128  -               -
AES-128   128  128  -               -

Note: By looking at the IV size (see Theorem 2), the HS-TMD and
DK-TMD attacks cannot break the above Block Ciphers.




B. Usage of short IVs 

In practice, IV resync information is frequently sent. So to
save bandwidth, it might be advantageous to use shorter IV for
better performance. But as pointed out by Hong and Sarkar in
[20, Section 3.3] on the original Estream call for ciphers and
[20, Section 3.4] on the GSM A5/3 ciphers, short IV's will
lead to attacks with low complexity.

However, if the secret key is long, e.g. 256-bit, then the 
pre-computation and online attack complexity, though faster 
than exhaustive search, might still be impractical to launch. 
Let us formalize this notion in the following proposition. 

Proposition 1: Consider a stream cipher with key space
$K = 2^k$ and IV space $V = 2^v$. Let $K_{secure} = 2^s$ be an
attack complexity that is impractical to launch in practice. If
the IV length is at least $2s - k$, then the pre-processing and
online complexity of the attack of Section IV cannot both be
faster than $K_{secure}$.
Proof: For the online attack complexity to be faster than
$K_{secure} = 2^s$, we need $T = D + T_{single} < 2^s$ which implies
$D < 2^s$. However, the pre-processing complexity is:

$$P = \frac{KV}{D} > 2^{k + (2s - k) - s} = 2^s = K_{secure}.$$

■

Example 1: Consider a stream cipher with 192-bit key and
suppose $2^{160}$ to be an impractical complexity to attack, then
we just need an IV of length $2 \times 160 - 192 = 128$ bits.

Example 2: Consider a stream cipher with 256-bit key and
suppose $2^{160}$ to be an impractical complexity to attack, then
we just need an IV of length $2 \times 160 - 256 = 64$ bits.

VIII. New Improved Time-Memory-Data Trade-Off 
Attack on Multiple Users 

In this section, we show that the attack complexities of our
attack can be improved further by considering the multi-user
setting. The idea of using time-memory-data trade-off to attack
multiple users was first proposed by Biryukov et al. to
break UNIX password hashes, and later refined by Choy et al.
for multiple-encryption [14]. In this scenario, the adversary
succeeds if he breaks the key of one out of $D_{user}$ users.

We describe our attack as follows. Let $N = K \times V$ where
$K$ is the key space and $V$ is the IV space. We assume a
known plaintext attack where each ciphertext bit corresponds
to a keystream bit.

1) The attacker fixes three parameters:

a) $D_{IV}$: The number of IV re-syncs in an online
attack.

b) $D_{single}$: The amount of ciphertext bits (equivalently
keystream bits) transmitted for each IV.

c) $D_{user}$: The number of users, of which the adversary
only needs to break one out of $D_{user}$ keys.

The total number of online data is $D = D_{IV} \times D_{single} \times D_{user}$.

2) He chooses $V/(D_{IV} \times D_{user})$ IV's randomly. For each
fixed IV, he goes through the pre-processing phase
of a BS-TMD attack with pre-processing complexity
$K/D_{single}$ and memory $M_{single}$. The total pre-processing
time is $V/(D_{IV} \times D_{user}) \times K/D_{single} = N/D$.
The total memory used is $M = V/(D_{IV} \times D_{user}) \times M_{single}$.

3) In an online attack, the attacker waits for an IV to occur
for one of the $D_{user}$ users which matches one of his
pre-computed IV. Since the probability of a matching
IV is $(V/(D_{IV} \times D_{user}))/V = 1/(D_{IV} \times D_{user})$, this
is expected to occur for one of the $D_{user}$ users after
$D_{IV}$ IV-resyncs. Because $D_{single}$ bits are transmitted
per IV, the total waiting time for a matching IV is
$D_{IV} \times D_{single} = D/D_{user}$.

4) After the attacker observes a matching IV, he proceeds
to do a TMD attack with complexity:

$$T_{single} = \frac{K^2}{M_{single}^2 D_{single}^2},$$

to find the secret key. The online complexity, which
adds $D/D_{user}$ (time to wait for a pre-processed IV)
and $T_{single}$ (attack complexity on a single IV), is:

$$T = \frac{D}{D_{user}} + T_{single} = \frac{D}{D_{user}} + \frac{K^2}{M_{single}^2 D_{single}^2} = \frac{D}{D_{user}} + \frac{N^2}{M^2 D^2},$$

because $M_{single} = M \times D_{IV} \times D_{user}/V$, $N = KV$ and $D = D_{IV} D_{single} D_{user}$.

The necessary conditions for this attack to work are that

$$T_{single} \ge D_{single}^2 \quad \text{and} \quad D_{IV} \times D_{user} \le V.$$

In the attack of Section IV, $D$ (the waiting time for a pre-computed
IV) dominates $T_{single}$ (the online attack complexity
for that IV). So reducing $D$ to $D/D_{user}$ would be able to
reduce the online attack complexity $T$ by a factor of $D_{user}$.

Let us apply the attack to some ciphers below. 

A. Multi-User TMD Attack on Grain-128

The key space is $K = 2^{128}$ and IV space is $V = 2^{96}$, which
implies $N = KV = 2^{224}$.

In Section V-B we applied the TMD attack with $D_{single} = 2^{32}$,
$D_{IV} = 2^{72} < 2^{96}$, to get pre-processing complexity $P = 2^{120}$.
With a memory of $M = 2^{70}$, the attack complexity is
$T = D + T_{single} = 2^{104} + 2^{100} \approx 2^{104}$, where
$T_{single} = 2^{100} \ge 2^{64} = D_{single}^2$.

Our Multi-User Attack: Choose $D_{single} = 2^{32}$, $D_{user} = 2^{20}$,
$D_{IV} = 2^{62}$; then $D_{user} \times D_{IV} = 2^{82} < 2^{96} = V$. The
total online data is

$$D = D_{IV} \times D_{single} \times D_{user} = 2^{114}$$

and pre-processing complexity is

$$P = N/D = 2^{224-114} = 2^{110}.$$

Let the total memory used be $M = 2^{65}$. Then, the attack
complexity on a single user and IV satisfies:

$$T_{single} = N^2/(M^2 D^2) = 2^{2(224-65-114)} = 2^{90} \ge 2^{64} = D_{single}^2,$$

and the total online attack time is:

$$T = D/D_{user} + T_{single} = 2^{94} + 2^{90} \approx 2^{94}.$$

Thus we have both pre-processing $P$ and online attack $T$ faster
than the attack of Section V-B by $2^{10}$, while using $2^5$ less
memory.

B. Multi-User TMD Attack on AES-256

The key space is $K = 2^{256}$ and IV space is $V = 2^{128}$,
which implies $N = KV = 2^{384}$.

As mentioned in Section VI-B, Hong and Sarkar attacked
AES-256 with $M = 2^{192}$ and $D = 2^{96}$ to get
$T = 2^{2(384-192-96)} = 2^{192} \ge D^2$. However, the pre-processing
complexity is $P = N/D = 2^{384-96} = 2^{288}$ which is worse
than exhaustive search.

Then in Section VI-B we applied the TMD attack with
$D_{single} = 2^{64}$, $D_{IV} = 2^{96} < 2^{128}$, to get pre-processing
complexity $P = 2^{224}$. With a memory of $M = 2^{146}$, the
attack complexity is $T = D + T_{single} = 2^{160} + 2^{156} \approx 2^{160}$,
where $T_{single} = 2^{156} \ge 2^{128} = D_{single}^2$.

Our Multi-User Attack: Choose $D_{single} = 2^{64}$, $D_{user} = 2^{20}$,
$D_{IV} = 2^{86}$; then $D_{user} \times D_{IV} = 2^{106} < 2^{128} = V$. The
total online data is $D = D_{IV} \times D_{single} \times D_{user} = 2^{170}$ and
pre-processing complexity is

$$P = N/D = 2^{384-170} = 2^{214}.$$

Let the total memory used be $M = 2^{141}$. Then, the attack
complexity on a single user and IV satisfies:

$$T_{single} = N^2/(M^2 D^2) = 2^{2(384-141-170)} = 2^{146} \ge 2^{128} = D_{single}^2,$$

and the total online attack time is:

$$T = D/D_{user} + T_{single} = 2^{150} + 2^{146} \approx 2^{150}.$$

Thus we have both pre-processing $P$ and online attack $T$ faster
than the attack of Section VI-B by $2^{10}$, while using $2^5$ less
memory.

IX. Key Length Equal IV Length Does Not Provide 
Adequate Protection in the Multi-User Setting 

By Theorem 2, we see that the HS-TMD attack cannot
work when the IV length is at least half the key length.
However, in the multi-user setting, the HS-TMD attack can
break ciphers with pre-processing and online complexity faster
than exhaustive search even when the IV length is longer than
half the key length. Therefore, Zenner [29] suggested that
the IV length should be equal to the key length for adequate
protection against TMD attacks in the multi-user setting. This
is also used as a guideline in some Estream cipher designs like
HC-128 and Trivium.

On a related note, we showed in Corollary 1 that the attack
of Section IV cannot work if the IV length is equal to the key
length. But we showed in Section VIII that if we adapt the
attack of Section IV to the multi-user setting, it can perform
better than the original attack of Section IV. Thus it may have
a chance to break ciphers where IV length is equal to the key
length, e.g. Trivium, AES-128 and HC-128. We shall show
that this is indeed true with the following examples.



A. Multi-User Attack on Trivium

The key space is $K = 2^{80}$ and IV space is $V = 2^{80}$, which
implies $N = KV = 2^{160}$.

Choose $D_{single} = D_{user} = 2^{26}$, $D_{IV} = 2^{36}$; then
$D_{user} \times D_{IV} = 2^{62} < 2^{80} = V$. The total online data is
$D = D_{IV} \times D_{single} \times D_{user} = 2^{88}$ and pre-processing complexity
is

$$P = N/D = 2^{160-88} = 2^{72}.$$

Let the total memory used be $M = 2^{40}$. Then, the attack
complexity on a single user and IV satisfies:

$$T_{single} = N^2/(M^2 D^2) = 2^{2(160-40-88)} = 2^{64} \ge D_{single}^2,$$

and the total online attack time is:

$$T = D/D_{user} + T_{single} = 2^{62} + 2^{64} \approx 2^{64}.$$

Thus we have both pre-processing and online attack faster than
exhaustive search $2^{80}$, although the IV length is equal to key
length.

B. Multi-User Attack on AES-128 and HC-128

The key space is $K = 2^{128}$ and IV space is $V = 2^{128}$,
which implies $N = KV = 2^{256}$.

Choose $D_{single} = 2^{56}$, $D_{user} = 2^{20}$, $D_{IV} = 2^{60}$; then
$D_{user} \times D_{IV} = 2^{80} < 2^{128} = V$. The total online data is
$D = D_{IV} \times D_{single} \times D_{user} = 2^{136}$ and pre-processing complexity
is

$$P = N/D = 2^{256-136} = 2^{120}.$$

Let the total memory used be $M = 2^{64}$. Then, the attack
complexity on a single user and IV satisfies:

$$T_{single} = N^2/(M^2 D^2) = 2^{2(256-64-136)} = 2^{112} \ge D_{single}^2,$$

and the total online attack time is:

$$T = D/D_{user} + T_{single} = 2^{116} + 2^{112} \approx 2^{116}.$$

Thus we have both pre-processing and online attack faster than
exhaustive search $2^{128}$, although the IV length is equal to key
length.

C. Generic Result 

We generalize the above computation in the following 
theorem. 

Theorem 3: Let the key length and IV length of a stream
cipher be equal. Then the multi-user TMD attack of Section
VIII can break it with pre-computation and online attack
complexity faster than exhaustive search.

Proof: Let key size and IV size be $K = V = 2^k$. Then
$N = KV = 2^{2k}$.

Choose $D_{user} = 2^u$ where $0 < u < 2k/3$, $D_{single} = 2^{k/2 - 3u/4}$
and $D_{IV} = 2^{k/2}$. Then the total online data is:

$$D = D_{single} \times D_{IV} \times D_{user} = 2^{k + u/4}.$$

The pre-processing complexity satisfies:

$$P = \frac{N}{D} = 2^{2k - (k + u/4)} = 2^{k - u/4} < K.$$

Choose a memory size of $M = 2^{k/2 + u/2}$. The online attack
for a single user and IV is:

$$T_{single} = \frac{N^2}{M^2 D^2} = 2^{2(2k - (k/2 + u/2) - (k + u/4))} = 2^{k - 3u/2} \ge D_{single}^2.$$

The online complexity satisfies:

$$T = D/D_{user} + T_{single} = 2^{k - 3u/4} + 2^{k - 3u/2} \approx 2^{k - 3u/4} < K.$$

■

Thus we conclude that ciphers with the same key length
and IV length can still be broken (faster than exhaustive
search) by our TMD attack in the multi-user setting.

D. Choice of IV Length in the Multi-User Setting 

As in Section VII-B, the following proposition gives the IV
length which would protect a stream cipher against our multi-user
TMD attack, assuming $K_{secure} = 2^s$ is an infeasible
complexity for the adversary to attack.

Proposition 2: Consider a network of $2^u$ users communicating
with a stream cipher having key space $K = 2^k$ and
IV space $V = 2^v$. Let $K_{secure} = 2^s$ be an attack complexity
that is impractical to launch in practice. If the IV length is at
least $2s + u - k$, then the pre-processing and online complexity
of the multi-user TMD attack of Section VIII cannot both be
faster than $K_{secure}$.
Proof: For the online attack complexity to be faster than
$K_{secure} = 2^s$, we need $T = D/D_{user} + T_{single} < 2^s$,
which implies $D/D_{user} < 2^s$, i.e. $D < 2^s \times D_{user} = 2^{s+u}$.
However, the pre-processing complexity is:

$$P = \frac{KV}{D} > 2^{k + (2s + u - k) - (s + u)} = 2^s = K_{secure}.$$

■

Example 3: Consider a network of $2^{20}$ users communicating
with a stream cipher having 128-bit key. Suppose we want
exhaustive search to be infeasible, i.e. $K_{secure} = 2^{128}$. Then
we need an IV of length $2 \times 128 + 20 - 128 = 148$ bits, which
is longer than the key length.

Example 4: Consider a network of $2^{20}$ users communicating
with a stream cipher having 192-bit key. Suppose
$K_{secure} = 2^{160}$ is an impractical complexity to attack, then
we need an IV of length $2 \times 160 + 20 - 192 = 148$ bits.
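The exponent arithmetic behind the multi-user attack of Section VIII, the parameter choice of Theorem 3 and the IV-length bound of Proposition 2, as an added Python example that is not part of the paper: TMDParams, multi_user_tmd, theorem3_params and min_iv_bits are our own names, and the parameter sets exercised are the paper's own examples (Sections VIII-A, VIII-B, IX-B and Examples 3 and 4).

```python
"""Exponent bookkeeping for the multi-user TMD attack of Section VIII,
Theorem 3 and the IV-length bound of Proposition 2 (Section IX-D).
Added example, not the paper's code: all values are base-2 exponents
(k = log2 K, v = log2 V, ...), as in the paper's own computations."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class TMDParams:
    k: int         # key length in bits, K = 2^k
    v: int         # IV length in bits, V = 2^v
    d_single: int  # log2 D_single: keystream bits observed per IV
    d_iv: int      # log2 D_IV: IV re-syncs observed online
    d_user: int    # log2 D_user: number of users (0 = single-user attack)
    m: int         # log2 M: total memory


def log2_sum(a: int, b: int) -> float:
    """log2(2^a + 2^b) without building huge integers."""
    hi, lo = max(a, b), min(a, b)
    return hi + math.log2(1 + 2.0 ** (lo - hi))


def multi_user_tmd(p: TMDParams) -> dict:
    """Exponents of D, P, T_single, T from the formulas of Section VIII,
    the two necessary conditions, and whether P and T both beat 2^k."""
    n = p.k + p.v                          # N = K * V
    d = p.d_single + p.d_iv + p.d_user     # D = D_single * D_IV * D_user
    pre = n - d                            # P = N / D
    t_single = 2 * (n - p.m - d)           # T_single = N^2 / (M^2 D^2)
    t = log2_sum(d - p.d_user, t_single)   # T = D / D_user + T_single
    return {
        "log2_D": d, "log2_P": pre, "log2_T_single": t_single, "log2_T": t,
        "T_single_ge_D_single_sq": t_single >= 2 * p.d_single,
        "D_IV_D_user_le_V": p.d_iv + p.d_user <= p.v,
        "beats_exhaustive_search": pre < p.k and t < p.k,
    }


def theorem3_params(k: int, u: int) -> TMDParams:
    """Parameter choice from the proof of Theorem 3 (key length = IV length = k,
    2^u users); k even and u a multiple of 4 keep every exponent integral."""
    if k % 2 or u % 4 or not 0 < u < 2 * k / 3:
        raise ValueError("need k even, u a multiple of 4 and 0 < u < 2k/3")
    return TMDParams(k=k, v=k, d_single=k // 2 - 3 * u // 4, d_iv=k // 2,
                     d_user=u, m=k // 2 + u // 2)


def min_iv_bits(k: int, s: int, u: int) -> int:
    """Proposition 2: IV length from which P and T cannot both be below
    K_secure = 2^s against 2^u users; u = 0 gives Proposition 1."""
    return 2 * s + u - k


if __name__ == "__main__":
    grain128 = TMDParams(k=128, v=96, d_single=32, d_iv=62, d_user=20, m=65)
    print(multi_user_tmd(grain128))            # paper's Section VIII-A figures
    print("Example 3 IV bits:", min_iv_bits(128, 128, 20))
```

With d_user=0 the same function reproduces the single-user attack of Section IV, so the Corollary 1 case (IV length equal to key length, never faster than exhaustive search) and the Theorem 3 case can be compared side by side.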

X. Conclusion 

We have proposed a new time-memory-data trade-off attack
that performs better than existing ones. It has a similar trade-off
curve as existing attacks but a new set of necessary
conditions on the online data $D_{IV}$ and $D_{single}$, which allows
us to attack previously unbroken ciphers. We prove that we
can have both pre-processing and online attack complexity
faster than exhaustive search whenever the IV length is less
than the key length. We applied our attack to break the Estream
ciphers such as Grain-v1, Rabbit, Salsa20, SOSEMANUK and
MICKEY, and also the block ciphers
such as Rijndael, Serpent, Twofish, RC6, MARS, IDEA,
SAFER SK-128 and KASUMI in CBC, CFB, OFB and counter modes of operation.
Finally, we looked at our attack in the multi-user setting where
the adversary just needs to break one out of many users,
e.g. in breaking UNIX password schemes. In that case, the
attack complexity can be reduced further. Two examples are
presented on Grain-128 and AES-256, where both the pre-processing
and online attack complexities are reduced by $2^{10}$
and memory is reduced by $2^5$ when $2^{20}$ users are attacked.
Finally, we showed that the stream cipher guideline of key
length equal IV length may not be sufficient to protect against
multi-user TMD attacks and proceeded to demonstrate attacks
against Trivium, HC-128 and AES-128 with pre-processing
and online complexity faster than exhaustive search.